StreamLain

Privacy Policy

Last updated: March 2026

1. Data Controller

NeuronForge UG (haftungsbeschränkt)
Brillenburgsweg 7
21614 Buxtehude, Germany
Email: hello@streamlain.de

2. Overview

StreamLain is a SaaS platform for docs, canvas, databases, automations, and AI features. We process personal data only to the extent necessary to provide our services or where you have given consent. This privacy policy informs you about the nature, scope, and purpose of personal data processing.

3. Hosting and Infrastructure

Our servers are located in Germany, operated by Hetzner Online GmbH (Industriestr. 25, 91710 Gunzenhausen, Germany). No data is transferred to third countries for hosting purposes. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in secure and efficient service provision).

4. Account Data

When you register, we process:

  • Email address (required)
  • Name (optional)
  • Password (hashed with bcrypt, never stored in plaintext)
  • Workspace membership and role

Legal basis: Art. 6(1)(b) GDPR (contract performance). Retention: Until account deletion, then fully removed within 30 days.

5. Two-Factor Authentication

To enhance account security, you can enable two-factor authentication (2FA). In this context, we process:

  • TOTP secret: Stored encrypted with AES-256-GCM, used to generate time-based one-time passwords
  • Backup codes: Stored hashed with bcrypt, serve as emergency access if the authentication device is lost
  • Device trust cookies: Valid for 30 days, contain an HMAC-SHA256 fingerprint of the trusted device

Legal basis: Art. 6(1)(b) GDPR (contract performance) and Art. 6(1)(f) GDPR (legitimate interest in account security).

6. Third-Party Authentication (Google OAuth)

You can alternatively sign in using your Google account. When signing in via Google OAuth, Google transmits the following data to us:

  • Name
  • Email address
  • Profile picture URL

Signing in via Google is voluntary. Registration with email and password is available as an alternative. When signing in via Google, a connection to the servers of Google LLC (Mountain View, USA) is established.

Legal basis: Art. 6(1)(a) GDPR (consent). You can revoke the connection at any time in your account settings.

International data transfer: USA. The transfer is based on the EU-US Data Privacy Framework and supplementary Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR.

7. Usage Data

During platform usage, we process technically necessary data: IP address (truncated), browser type, access time, pages visited. This data is not combined with other data sources.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in service security and stability).

8. File Upload

StreamLain allows uploading files (images, documents, attachments) to workspaces. Uploads use the tus protocol (resumable uploads).

  • Storage location: Hetzner servers in Germany
  • Encryption: TLS 1.3 during transfer
  • Deletion: Files are deleted together with the associated workspace/document, no later than 30 days after contract termination

Legal basis: Art. 6(1)(b) GDPR (contract performance — file management is a core function of the platform).

9. Cookies

The StreamLain platform uses only technically necessary session cookies for authentication. No consent is required for these (§ 25(2)(2) TDDDG). No tracking cookies or analytics cookies are used.

10. AI Features and Third-Party Providers

StreamLain offers AI-powered features (Copilot, automations with AI nodes). Data is transmitted to the following third-party providers via their API interfaces:

10.1 AI Providers

StreamLain exclusively uses EU-based endpoints for AI processing (EU Data Residency). All AI requests are processed in EU data centers (Frankfurt, Germany):

  • Anthropic Claude — via Amazon Web Services (AWS) Bedrock, region eu-central-1 (Frankfurt). Data processor: Amazon Web Services EMEA SARL (Luxembourg). Anthropic, PBC is a sub-processor of AWS.
  • Google Gemini — via Google Cloud Vertex AI, region europe-west3 (Frankfurt). Data processor: Google Cloud EMEA Limited (Ireland).

Users may optionally provide their own API keys for direct connections to AI providers (user-keys mode). In this case, the privacy policies and DPAs of the respective provider apply directly between the user and the provider.

10.2 What Data Is Transmitted?

Depending on the AI function: user inputs (prompts), selected document content, database entries, images for analysis. Transmission occurs exclusively to process the respective request.

10.3 No Training With Your Data (Zero Data Retention)

Your data is NOT used to train AI models. We exclusively use API interfaces from providers who contractually guarantee that API data is not used for model training.

Additionally, our EU endpoints enforce Zero Data Retention (ZDR):

  • AWS Bedrock: ZDR is the default — your inputs and outputs are not stored after processing.
  • Google Vertex AI: In-memory processing only with a maximum 24-hour project-isolated cache. No persistent logging.

10.4 EU Data Residency

All AI requests in managed mode (server-side processing) are processed exclusively in EU data centers:

  • AWS Bedrock: Region eu-central-1 (Frankfurt, Germany)
  • Google Vertex AI: Region europe-west3 (Frankfurt, Germany)

No international data transfer of AI request data occurs. The data processors (AWS EMEA, Google Cloud EMEA) are subject to European data protection law. Additionally, SCCs (Standard Contractual Clauses) are included as a fallback.

10.5 Retention by AI Providers

Through Zero Data Retention, API requests are not persistently stored after processing. In-memory processing at Vertex AI is limited to a maximum of 24 hours and is project-isolated.

Legal basis: Art. 6(1)(b) GDPR (contract performance — AI features are part of the service).

11. Payment Processing (Stripe)

For billing of paid plans, we use the payment processor Stripe, Inc. (San Francisco, USA). The following data is transmitted directly to Stripe:

  • Billing address
  • Payment method (credit card or SEPA direct debit)
  • Email address (for payment receipts)

StreamLain does not store complete credit card data. Payment data entry occurs via Stripe Elements directly within Stripe's infrastructure. Stripe is PCI DSS Level 1 certified.

Legal basis: Art. 6(1)(b) GDPR (contract performance). International data transfer: USA, based on the EU-US Data Privacy Framework and SCCs.

12. AI Usage Tracking

StreamLain logs the use of AI features: timestamp, model used, token count, estimated cost. This serves transparency towards workspace admins (cost overview, compliance) and fulfillment of obligations under the EU AI Act (Art. 4, 26, 50).

Legal basis: Art. 6(1)(c) GDPR (legal obligation) and Art. 6(1)(f) GDPR (legitimate interest in cost transparency).

13. Data Processing Agreements

We have concluded Data Processing Agreements (DPAs) pursuant to Art. 28 GDPR with all relevant service providers. Current sub-processors:

  • Hetzner Online GmbH — Hosting, server infrastructure, object storage (Nuremberg/Falkenstein, Germany)
  • Amazon Web Services EMEA SARL — AI inference via Bedrock (eu-central-1 Frankfurt, Luxembourg)
  • Google Cloud EMEA Limited — AI inference via Vertex AI (europe-west3 Frankfurt, Ireland)
  • Stripe Ireland Limited — Payment processing (Ireland, EU-US DPF)
  • Cloudflare, Inc. — DNS, CDN, DDoS protection (USA, EU-US DPF + SCCs)
  • BunnyWay d.o.o. (bunny.net) — CDN, DDoS protection (Ljubljana, Slovenia / EU)

14. Data Security

We employ comprehensive technical and organizational measures:

  • Encryption: AES-256-GCM for sensitive data (API keys, certificates), TLS 1.3 for data transmission
  • Passwords: bcrypt hashing (OWASP compliant)
  • Access control: Multi-tier role and permission system
  • Integrity: Cryptographic checksums for data integrity verification
  • Traceability: Logging of security-relevant operations

15. Data Protection Officer

Pursuant to § 38 BDSG (German Federal Data Protection Act), the appointment of a data protection officer is only required when 20 or more persons are regularly engaged in the automated processing of personal data. As NeuronForge UG currently does not meet this threshold, no data protection officer has been appointed.

For data protection inquiries, please contact: hello@streamlain.de

16. Automated Decision-Making

No automated decision-making including profiling within the meaning of Art. 22 GDPR takes place that produces legal effects concerning you or similarly significantly affects you.

The AI features integrated in StreamLain generate suggestions and drafts. These do not constitute automated individual decisions — the final decision on the use of AI outputs always rests with the user.

17. Your Rights

Under the GDPR, you have the following rights:

  • Access (Art. 15) — What data we store about you
  • Rectification (Art. 16) — Correction of inaccurate data
  • Erasure (Art. 17) — Deletion of your data (“right to be forgotten”)
  • Restriction (Art. 18) — Restriction of processing
  • Data portability (Art. 20) — Export your data in machine-readable format
  • Objection (Art. 21) — Object to processing based on legitimate interests
  • Withdrawal of consent — At any time, without giving reasons

To exercise your rights, contact us at hello@streamlain.de.

18. Right to Lodge a Complaint

You have the right to lodge a complaint with a data protection supervisory authority (Art. 77 GDPR). The supervisory authority responsible for us is:

Die Landesbeauftragte für den Datenschutz Niedersachsen
Prinzenstraße 5, 30159 Hannover, Germany
www.lfd.niedersachsen.de

19. Changes to This Privacy Policy

We reserve the right to update this privacy policy to reflect changes in legal requirements or modifications to our service. The current version is always available on this page.

© 2026 StreamLain, a NeuronForge UG (haftungsbeschränkt) brand.
